<html>
<head><meta charset="utf-8"><title>OSV blog post · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html">OSV blog post</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="243666584"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243666584" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243666584">(Jun 23 2021 at 15:14)</a>:</h4>
<p>An announcement of the OSV effort with a list integrations will be up in the next few days. Right now the plan is to mention that RustSec is working on an integration, but without linking to any branches/repos.<br>
I could push <a href="https://github.com/Shnatsel/advisory-db/tree/osv">https://github.com/Shnatsel/advisory-db/tree/osv</a> to the mainline db, a separate branch called <code>osv-experimental-v0.7</code> or some such. If we do that, the OSV blog post can link the the RustSec advisory DB repo directly and possibly go into more detail.<br>
The README includes a disclaimer that the OSV-exported data is not continuously updated.<br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> thoughts?</p>



<a name="243667616"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243667616" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243667616">(Jun 23 2021 at 15:21)</a>:</h4>
<p>I'd like to hear from <span class="user-mention" data-user-id="130046">@Alex Gaynor</span> too. Although it's fine if we just do nothing.</p>



<a name="243686331"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243686331" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243686331">(Jun 23 2021 at 17:36)</a>:</h4>
<p>Never mind! The blog post is going up soon and I don't want to rush this.</p>



<a name="243701316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243701316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243701316">(Jun 23 2021 at 19:34)</a>:</h4>
<p>So the post is going up tomorrow, I'll probably going to post it to Reddit with a comment with RustSec context specifically. My current draft for the comment is:</p>
<blockquote>
<p>For Rust this pulls data from <a href="https://github.com/RustSec/advisory-db">https://github.com/RustSec/advisory-db</a>, the security advisory database maintained by the <a href="https://www.rust-lang.org/governance/wgs/wg-secure-code">Rust Secure Code WG</a>. This is the same database that powers <a href="https://crates.io/crates/cargo-audit"><code>cargo-audit</code></a>.</p>
<p><strong>What this means for RustSec?</strong></p>
<p>We're happy to provide the RustSec database in an interchange format, as opposed to a custom format only. However, there are no plans to deprecate the RustSec TOML format, mostly because it's easier for humans to work with. TOML will continue to be the source of truth, with OSV JSON representation being derived from it.</p>
<p>As usual, if you have discovered a security issue in your code and would like to notify your dependents so they could upgrade to a fixed version, be sure to <a href="https://github.com/RustSec/advisory-db">report it</a>. (If you've just found a memory safety issue and are not sure if it qualifies, get in touch and we'll help you assess the impact).</p>
<p><strong>Implementation notes</strong></p>
<p><code>serde_json</code> made generating the JSON a breeze. Moreover, exporting the entire database only takes 200 milliseconds, and most of that time is spent walking git history to get file modification dates (which, as it turned out, is <a href="https://github.com/RustSec/rustsec/blob/63f5665eebb886890152bfaaa2d9a1d0cc697885/rustsec/src/repository/git/modification_time.rs#L17">not as simple as calling a library function</a>).</p>
<p>Google has kindly sponsored the RustSec/OSV integration work. I'd do it anyway because it's a good idea, but it was nice to have it as a paid 20% project. Normally I work on Rust projects purely in my spare time.</p>
<p>The code for the export can be found <a href="https://github.com/RustSec/rustsec/pull/366">here</a>, and <a href="https://github.com/Shnatsel/advisory-db/tree/osv">this</a> is what the exported data looks like.</p>
</blockquote>



<a name="243701365"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243701365" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243701365">(Jun 23 2021 at 19:34)</a>:</h4>
<p>Feedback and edits are very welcome</p>



<a name="243784602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243784602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243784602">(Jun 24 2021 at 13:23)</a>:</h4>
<p>The blog post is up: <a href="https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html">https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html</a><br>
And there are news articles linking to advisory-db repo now:<br>
<a href="https://www.theregister.com/2021/06/24/google_security_fix/">https://www.theregister.com/2021/06/24/google_security_fix/</a><br>
<a href="https://venturebeat.com/2021/06/24/google-extends-open-source-vulnerabilities-database-to-python-rust-go-and-dwf/">https://venturebeat.com/2021/06/24/google-extends-open-source-vulnerabilities-database-to-python-rust-go-and-dwf/</a><br>
Probably more to come</p>



<a name="243785821"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243785821" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243785821">(Jun 24 2021 at 13:33)</a>:</h4>
<p><a href="https://securityboulevard.com/2021/06/google-shares-format-for-open-source-vulnerability-data/">https://securityboulevard.com/2021/06/google-shares-format-for-open-source-vulnerability-data/</a><br>
<a href="https://siliconangle.com/2021/06/24/google-announces-unified-schema-make-sharing-vulnerabilities-easier/">https://siliconangle.com/2021/06/24/google-announces-unified-schema-make-sharing-vulnerabilities-easier/</a><br>
but these two don't link to us directly</p>



<a name="243787084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243787084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243787084">(Jun 24 2021 at 13:41)</a>:</h4>
<p><a href="https://www.phoronix.com/scan.php?page=news_item&amp;px=Google-Vulnerability-Schema">https://www.phoronix.com/scan.php?page=news_item&amp;px=Google-Vulnerability-Schema</a><br>
Simply reiterates items from the blog, doesn't link to us directly</p>



<a name="243787377"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243787377" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243787377">(Jun 24 2021 at 13:43)</a>:</h4>
<p>And the link to the Google blog post is now <a href="https://github.com/rust-lang/rust/issues/1">#1</a> on the Rust subreddit</p>



<a name="243808629"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243808629" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243808629">(Jun 24 2021 at 16:07)</a>:</h4>
<p>nice</p>



<a name="243962611"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243962611" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243962611">(Jun 25 2021 at 19:52)</a>:</h4>
<p>More press with links directly to us: <br>
<a href="https://www.zdnet.com/article/google-rolls-out-a-unified-security-vulnerability-schema-for-open-source-software/">https://www.zdnet.com/article/google-rolls-out-a-unified-security-vulnerability-schema-for-open-source-software/</a><br>
<a href="https://www.techzine.eu/news/devops/61841/google-unveils-a-unified-vulnerability-schema-for-open-source/">https://www.techzine.eu/news/devops/61841/google-unveils-a-unified-vulnerability-schema-for-open-source/</a><br>
<a href="https://www.techradar.com/news/google-wants-to-create-a-standard-vocabulary-for-describing-security-vulnerabilities">https://www.techradar.com/news/google-wants-to-create-a-standard-vocabulary-for-describing-security-vulnerabilities</a></p>



<a name="243962671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20blog%20post/near/243962671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20blog.20post.html#243962671">(Jun 25 2021 at 19:53)</a>:</h4>
<p>Plus translations of that to various other languages</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>